Is your school compliant? Have you appointed a Data Protection Officer?

General Data Protection Regulation

GDPR - Solutions for Schools

Be compliant, not complacent

The EU General Data Protection Regulations 2016 (the GDPR), is new legislation which came into effect on the 25 May 2018. It is designed to protect and empower European citizens with regard to their data privacy, and places greater obligations and sanctions on organisations that process (e.g. obtain, use, store, share and destroy) personal data.

This legislation applies to schools and other organisations and will continue to do so even when the UK leaves Europe. The UK has drafted a new Data Protection Bill which will replace our current Data Protection Act 1998 (due to be enacted in 2018), which will ensure the GDPR is ‘Brexit proof’ and will therefore continue to apply to UK organisations after it leaves.

This new legislation is the biggest change in data privacy legislation in 20 years. Although, the Information Commissioner (the UK Data Protection Regulator) has stated it is an “evolution…not a revolution” of our current data protection laws, it does still create significant burdens (resources and financial) on schools, requiring them to overhaul their existing practices for handling personal data about pupils, parents/guardians, employees etc. in order to be compliant.

How does GDPR affect schools?

GDPR is large and complex, so here’s an overview of the key areas which affect schools:

Data Breaches

Notification (Articles 33 and 34)

Under the new legislation, schools are legally required to notify the Information Commissioner’s Office (the ICO) of any breaches of the GDPR, which are likely to result in a risk to the rights and freedoms of individuals. For example, if the breach could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. In such cases, the school must notify the ICO within 72hrs of becoming aware of the breach and carry out a full internal investigation. The school is also required to inform the individual whose personal data has been put at ‘high risk’ as soon as possible

Fines

(Article 83)
GDPR introduces significantly higher financial penalties to organisations that fail to comply. Under the new regulation schools could be fined up to €20 million by the ICO for a breach.

The ICO has new powers to levy these hefty fines and is required by law to ensure that these are ‘effective, proportionate and dissuasive’. When considering whether or not to fine, and how much, the ICO will take into account (amongst other things) the:

nature, gravity and duration of the breach

number of people affected and the level of damage suffered by them

intention or negligence of the person or organisation who caused the breach

actions taken by the organisation to mitigate the damage

previous breaches suffered by the organisation

co-operation of the organisation with the ICO during their investigation

the measures the organisation had in place to protect the data

GDPR sets out the maximum fines the ICO can issue for particular types of breaches. Here are some examples:

Up to €20 Million

Breaching any of the data protection principles

Failing to comply with the conditions for obtaining and managing consent

Failing to notify the ICO of data breaches likely to result in risks to individuals

Compensation

(Article 82)
In addition to fines for data breaches, GDPR provides individuals with the right to compensation if they suffer damage as a result of a breach involving their personal data. It is therefore imperative that schools review how they handle personal data to ensure it is in line with the GDPR, in order to avoid potential fines and compensation claims. As the examples above show, it’s not just about keeping information secure!

Data Protection Officers

(Articles 37-39)
Under GDPR, schools are legally required to appoint a Data Protection Officer (a DPO) for their school; failure to do so could result in a fine up to €10 million. Official guidance states this person should have ‘expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR’ (Article 29 Data Protection Working Party Guidelines).

The Data Protection Officer can be an employee of the school or the school can contract out the post to an external person. The legislation states that the DPO must have the freedom to carry out the role independently and must not have a conflict of interest.

Citizens' Rights

Individuals are given several rights under GDPR, here is a quick summary of some of these rights:

Transparency and information (Articles 12-14)
There are new requirements to publish certain types of information in your Privacy Notices, such as the contact details of your Data Protection Officer; the purpose and lawful basis for processing the information you are collecting; how long you intend to keep the data for; who you will share the data with and so on.

Access to personal data (Article 15)
This is known as a Subject Access Request under the current Data Protection Act. Under GDPR, this right entitles pupils, parents/guardians and employees to receive a copy of the information the school holds on them for free and within one month. Under the current legislation, you can charge £10.00 and you have 40 calendar days to respond, so schools should consider the resource implications of this new change.

It should be noted, this right does not affect or replace the existing rights for parents/guardians of children in maintained schools, to access their child’s education record under the Education (Pupil Information) (England) Regulations 2005.

Rectification and erasure of personal data (Articles 16 and 17)
As with the current Data Protection Act, individuals are entitled under GDPR to have inaccurate personal data rectified or incomplete information completed (which could simply involve adding a supplementary statement to the file).

In addition, individuals are entitled to have their personal data deleted in cases where the data is no longer needed or the individual withdraws consent. This right does not require a school to delete data, upon request, if the school is complying with a legal obligation in holding it, for example if the school is required under statute to collect and retain the data for a certain length of time.

Object to direct marketing (Article 21)
Parents/guardians and pupils have the right not to receive direct marketing, which means that schools will have to gain explicit ‘opt in’ consent before sending out marketing material. This will be relevant in cases where schools target parents/guardians for fundraising; advertise their school prospectus or put advertising literature in pupils’ book bags about other organisations!

Consent

(Article 7)
Most of what schools do, do not require consent from parents/guardians or pupils, however there are some occasions when they must obtain it. For example, if they photograph a school event and publish these images; take pupils on school trips; collect and use biometric information or send direct marketing material to parents/guardians and pupils. Under the new GDPR rules, schools need to demonstrate that consent has been obtained freely, it is specific and not general, the person giving it is fully informed and the consent wording is unambiguous.

Schools are required to keep clear records of all consent they obtain and they must inform individuals of their ‘right to withdraw consent’ at the time, and offer easy ways to do this. When obtaining consent directly from children, schools are required to adapt the wording according to the children’s level of understanding.

Obligations

(Articles 24-32)
There are several obligations and duties for schools to fulfil under GDPR.
These include:

having appropriate and effective data protection policies, procedures and training;

assessing the suitability of companies and contractors who process personal data on behalf of the school, and issuing written contracts to them setting out their data protection obligations and restrictions on the use of the data;

keeping a record of the processing activities of the school e.g. a description of what personal data is collected; why; how long it is kept for; who it is shared with and the security measures in place to keep it safe;

implementing technical measures, policies and procedures that ensure data protection compliance is built into everyday practices, which includes only processing personal data if it is absolutely necessary to do so; keeping it for appropriate timeframes and limiting access to it;

carrying out Data Protection Impact Assessments prior to processing personal data, which could result in high risks to the rights and freedoms of people;

appointing a Data Protection Officer (employee or a contractor) and involving them in all data protection matters and giving them the appropriate resources and support to keep the school compliant.

What should schools be doing now that the new GDPR is in place?

Ensure senior management understand the significance and impact of GDPR on your school, and seek their support and direction on how to prepare for the changes.

Carry out an information audit to identify and record what personal data you hold, where; who you share it with; how long you keep it for and what your lawful basis is for processing it.

Tell employees and other key people that the law is changing and deliver needs based training to them.

Review, update or create policies and procedures which reflect the GDPR changes, particularly in relation to data breach investigation and reporting; privacy notices, obtaining and managing consent and handling requests from individuals exercising their rights.

Appoint a Data Protection Officer – this person must have expert knowledge of data protection law and practices and be able to fulfil the tasks set out in Article 39 of the GDPR. This person can be an employee or an external contractor.

GDPR Solutions for Schools - Help is at hand!

Babcock LDP have teamed up with an experienced public sector data protection consultancy business, to offer schools unique packages which will support you through the GDPR journey- from preparation to post implementation.

The GDPR service we have received from Babcock LDP has been extremely comprehensive. The training provided to all our staff was excellent and vital in raising their awareness of the new legislation. The DPO has provided excellent support to the College and assisted us in becoming ready for the introduction of GDPR.